
Lessons Learned From The Equifax Data Breach

September 12, 2019

Equifax will pay between $575 million and $700 million to settle all claims related to the data breach it experienced in 2017. Plaintiffs include the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories.

The FTC alleged that the credit reporting company failed to take basic steps to "secure the massive amount of personal information stored on its network." The FTC also accused Equifax of violating the Gramm-Leach-Bliley Act.

In March 2017, Equifax learned of a critical security vulnerability affecting ACIS, the system that handles consumer credit-dispute inquiries (the flaw was in the Apache Struts web framework, CVE-2017-5638, and a fix was already available). According to the FTC, although Equifax's security team ordered that the vulnerability be patched, the organization never followed up to confirm that the order had actually been carried out.

In July 2017, Equifax discovered that the system had never been patched, and only because its security team noticed suspicious network traffic. The investigation found that multiple attackers had exploited the ACIS vulnerability to get into Equifax's network, located an unsecured file containing administrative credentials in plain text, and used those credentials to pull vast amounts of consumer personal information out of other databases.

The hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.

As part of the settlement, Equifax will pay $300 million to provide credit monitoring services to those affected by the 2017 breach. This fund will reimburse victims who purchased credit or identity monitoring services from Equifax or had other out-of-pocket expenses because of the breach. If $300 million does not cover the reimbursements, Equifax agreed to add $125 million to the fund.

Beginning in 2020, Equifax will provide all U.S. consumers six free credit reports annually for seven years. Equifax must also improve its data security in the future.

Equifax will also pay civil penalties of $175 million to 48 states and two territories and $100 million to the CFPB.

Source: "Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach," ftc.gov (Jul. 22, 2019).

Commentary

According to the chairman of the FTC, "companies that profit from personal information have an extra responsibility to protect and secure that data." If your organization uses or stores customer data for any reason, you must implement strong cybersecurity protections and practices to keep that data secure.

The complaint against Equifax accused it of failing to do the following:

1. implement a policy to ensure that security vulnerabilities are patched;
2. segment its database servers so that a compromise of one system could not be used to reach other parts of the network;
3. install robust intrusion detection protections for its legacy databases; and
4. encrypt network credentials and passwords, as well as Social Security numbers and other sensitive consumer information.

However, the most important issue was the simplest one: someone failed to follow through on patching the system, and no one verified that the work had been done. A patch order that is never checked is indistinguishable, to an attacker, from no patch order at all.

Avoid committing these mistakes in your organization. Segment your database servers and deploy strong detection and monitoring around them. Require that critical security updates be installed promptly, and then verify that they actually were, by scanning or inventorying the affected systems rather than taking the ticket's closure at face value. Keep administrative credentials out of plaintext files entirely (use a secrets manager or vault), and have a policy requiring encryption of sensitive information such as customer personal data.
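The verification step is the one that was missing at Equifax, so here is what "check their work" can look like in practice. This is an added example, not code from the article or from Equifax: a small audit script that takes a fleet-wide inventory of Apache Struts library files and reports, per host, whether every copy found is at a version that contains the fix for CVE-2017-5638 (the fixed releases were 2.3.32 and 2.5.10.1). The hostnames, file paths and inventory lines are constructed for illustration. Two failure modes the paragraph alludes to are handled explicitly: a host that reports back with one patched copy and one forgotten old copy is still unpatched, and a host that never reports back is flagged as unverified rather than silently counted as done.

```python
import re

# Constructed sample inventory (not real data): one line per Struts JAR found
# per host, in the shape a fleet-wide `find / -name 'struts2-core-*.jar'`
# sweep might return. acis-web-03 still has an old copy in a backup webapp.
INVENTORY = """\
acis-web-01 /opt/tomcat/webapps/acis/WEB-INF/lib/struts2-core-2.3.32.jar
acis-web-02 /opt/tomcat/webapps/acis/WEB-INF/lib/struts2-core-2.3.31.jar
acis-web-03 /opt/tomcat/webapps/acis/WEB-INF/lib/struts2-core-2.5.10.1.jar
acis-web-03 /opt/tomcat/webapps/acis.bak/WEB-INF/lib/struts2-core-2.5.10.jar
acis-web-04 /opt/tomcat/webapps/acis/WEB-INF/lib/struts2-core-2.5.12.jar
"""

# Hypothetical list of hosts the patch order covered. acis-web-05 never
# reported back, which the audit must treat as a finding, not a pass.
PATCH_ORDER_HOSTS = ["acis-web-01", "acis-web-02", "acis-web-03",
                     "acis-web-04", "acis-web-05"]

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare element-wise, so
    (2, 5, 10) < (2, 5, 10, 1) and (2, 5, 12) > (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.split("."))


def is_fixed(version):
    """True if this Struts version contains the CVE-2017-5638 fix.
    Fixed releases: 2.3.32 on the 2.3 branch, 2.5.10.1 on the 2.5 branch.
    Anything below 2.3.32 is treated as unpatched (older branches are
    unsupported, so they should be upgraded regardless)."""
    v = parse_version(version)
    if v >= (2, 5):
        return v >= (2, 5, 10, 1)
    return v >= (2, 3, 32)


def audit(inventory, ordered_hosts):
    """Return {host: status}. A host counts as patched only if every Struts
    JAR found on it is a fixed version; a host with no inventory at all is
    reported as unverified, never as patched."""
    found = {}
    for line in inventory.splitlines():
        host, _, path = line.partition(" ")
        match = JAR_RE.search(path)
        if match:
            found.setdefault(host, []).append((match.group(1), path))

    status = {}
    for host in ordered_hosts:
        jars = found.get(host)
        if not jars:
            status[host] = "UNVERIFIED: no inventory received"
            continue
        bad = [f"{ver} at {path}" for ver, path in jars if not is_fixed(ver)]
        status[host] = "patched" if not bad else "UNPATCHED: " + "; ".join(bad)
    return status


if __name__ == "__main__":
    for host, result in audit(INVENTORY, PATCH_ORDER_HOSTS).items():
        print(f"{host}: {result}")
```

The point of the per-host verdict is that a patch ticket closes when someone says the work is done, whereas this report closes only when the evidence says so; the same pattern applies to any component with a known vulnerable-version range, with only the regex and the threshold versions changing.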

The settlement that Equifax agreed to requires it to take the following cybersecurity measures:

1. designate an employee to oversee the information security program;
2. conduct annual assessments of internal and external security risks and implement safeguards to address potential risks;
3. test and monitor the effectiveness of the security safeguards;
4. ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data; and
5. have a third party assess its information security program every two years.

All organizations that collect and store customers' personal information should consider the above practices.